[Owasp-leaders] WSJ: Software Security

Justin Clarke justin at justinclarke.com
Mon Mar 9 06:56:18 EDT 2009

On 09/03/2009 09:40, "AF" <antonio.fontes at gmail.com> wrote:

> On Sat, Mar 7, 2009 at 12:59 AM, Marco M. Morana
> <marco.m.morana at gmail.com> wrote:
>> " ...to capture how those 9 companies have done it.."
>> I counted: (1) Adobe, (2) EMC, (3) Google, (4) Microsoft, (5) QUALCOMM, (6)
>> Wells Fargo, and (7) Depository Trust & Clearing Corporation (DTCC)
>> wonder who the other two "incognitos" are.. just curiosity and math :)

I suspect I know who at least one more of the companies is, and they are
indeed a large financial services shop with a huge number of developers.  I
am also involved in a number of initiatives either deploying SAMM, or
activities mapped to SAMM, as my company does some work in this area with
Fortify (who sponsored/participated in both efforts).

> 1. Do you believe that an organization can do BSI without outside
> consulting services and leverage products they already have? -> Can a
> small company actually code securely without spending thousands in
> consulting services or buying full-blown security vendor products?

Yes. If you have the appropriate skillsets in house, or an effective team of
people who are willing to learn and experiment to find what works for the
organisation and have the mandate to be able to bring about the change
necessary. BSI-MM describes this as the Software Security Group (SSG). This
is probably the toughest part; although theoretically it should be easier to
force change in a smaller organisation, in my experience they are less able
or willing to cope with significant amounts of business process change.

> 2. How should software security roll up into an enterprise
> architecture strategy? -> How should a small company absorb secure
> development practices? What strategy is efficient? What is the
> recommended first step? And the second one?... ? Where does the
> Pareto's principle apply? Wouldn't setting up a robust web application
> firewall ruleset be the central key of web application security for
> SMBs?

Also, how does it map to the organisation's compliance and governance needs?
To the contractual guarantees that have been given to customers as to the
security of supplied products?

I'm biased in that I think targeted assessment is a good first step (i.e.
find those root causes), but then I'm from a consulting background. I like
to have a better handle on how big the problem is before going much further.
You can achieve this by deploying a static analysis solution, but if that
isn't realistic you may be able to achieve this by leveraging some of the
analysis you already have on hand (i.e. Penetration testing) as well as
additional analysis through freely available tools. It doesn't need to be
bulletproof if you're only looking for ballpark ideas of the scope of
effort, and identifying areas to start with.

> 3. We can all agree that static analysis is important, but in your
> opinion, what security activities within an IT ecosystem are more
> important? -> Yes, we all agree, here mostly. However, as I recall
> from some of my last year's customers thoughts: "let's ship and sell
> first. we'll improve the product through change management." What can
> developers do when security is not the main focus of their management?

We may all agree, but there is almost no independent evidence that any one
activity works better than another.  What is more effective - training
developers or threat modeling? Static analysis or penetration testing?
Arguably, many activities will be ineffective if you don't do several of
them at once.

I argue that we are all more comfortable with assessment of projects and
deliverables as they near shipping - security reviews, penetration testing
etc. It's generally accepted that it is good practice to do something about
security earlier in the process, but that's about it. It's far better to have
the tools in hand (i.e. threat modeling, static analysis, training, security
architecture design etc.) and apply these to what an organisation can
realistically do in the short term before moving on to more difficult areas.
You should also keep in mind that none of this is going to be a short
process - it could take years to get to where you want to go.

> 4. OWASP creates valuable working software and makes it freely
> available but it can't do this for all spaces. Do you think that other
> security organizations need to go beyond just awareness and actually
> deliver products that others can use in an open manner? -> Yes, more
> security organisations need to leverage ease of access to their
> knowledge, experience, tools, documents and whatsoever they have
> without forcing an interested party into some complex commercial
> process. I've heard of some appsec guys or developers who only
> evaluate security products, which they can easily get access to,
> without having to get in contact with commercials or "tell me your
> life"-forms.

This is a commercial reality. I don't think we're going to find companies on
the security vendor or consulting sides releasing any significant amount of
information and guidance unless it somehow benefits them, either
commercially or with public relations/marketing. I am personally a big fan
of vendors who have a limited version of a product that is available for
evaluation/non-commercial use. Carefully done, these aren't usable for the
enterprise who are their main target customers, but would be usable for
SMEs and for evaluation in a security lab for an enterprise customer.

> 5. Enterprises especially in the financial services space are seeing
> their stocks decline to record lows and understand that cash is king.
> Likewise, many security tools are easily a million bucks when applied
> to enterprise scale. What advice would you provide to them for
> enabling security without a whole lot of money. -> A lot of answers
> reside in this question... : )

My recent experience with the UK market seems to say that if it isn't
happening already, it's going to be deferred for now. Also, organisations may
have more ability to spend on the operational expenditure side (training,
consulting help) than on the capital expenditure side (solutions, tools),
however that is going to completely depend on the organisation. Perhaps now
is a good time to be a secure development training provider? Or consultant,
if you're good?

Best regards

Justin Clarke
Chapter leader - London